• GN&C (Guidance, Navigation, and
Control) is one of the most central
software systems in an aircraft/spacecraft


• Guidance: “Where do I want to go and 
how do I get there?” 

• Navigation: “Where am I?” 

• Control: “Which thrusters do I need to use 
to keep my attitude stable?” 

Typical architecture:

• PowerPC 750, RAM, Flash, 

• IO bus: MIL 1553 or CAN bus (automotive)

• OS: Real-time: VxWorks, RTLinux, OSEK compl.,... 


• “Black box” 


• run at different 
speeds 

- G: 2Hz 

- N: 10Hz-100Hz

- C: 100Hz 


• in different 
processes 

• use comm layer 

• Are there specific software constructs used in specific
components?

• These play a major role in how SWHM models will be
constructed

• Typical characteristics include 

- numerical computations? 

- branches? mode logic? state machines? 

- loops? 

- complex algorithms? (e.g., optimization) 

- communications structure 

- signals 

C Testbed Example



• “re-designed” Apollo lunar lander Autopilot 

• non-trivial GN&C example

• non-ITAR Simulink and Stateflow model 

• Downloadable from Mathworks 

GN&C Architecture

• The selected GN&C architecture is typical for
many aeronautics applications

- guidance for autopilot functions (in particular for UAV) 

- navigation based on sensors (e.g., inertial reference 
unit, GPS) 

- control of actuators (mainly control surfaces) 

- implemented in software (often using model-based 
approaches), running on an embedded processor 

• Examples of related architectures are NASA 
IFCS, Dryden Platform Precision AutoPilot, 

Our demonstration example was selected because of realistic GN&C functionality,
easy availability of model (non-ITAR and does not contain proprietary code) and
straight-forward models of components not relevant for SWHM.

Operation

[Figure: roll/pitch/yaw]





• task: from attitude (0,0,0) obtain and keep attitude 
(0.1,0.05,0.02) 

• use the given set of control thrusters 

Top Level structure

[Block diagram labels: Pilot, Cmd, Guidance, Control, Software, Navigation, plant (model)]


The original example does not contain any navigational components. The “true”
attitude and position are fed back to the Guidance and Controller.

We are adding some “mock-up” sensors and some navigational code. 

Physical Plant Model

[Simulink model window: ap_phys/phys_system; visible labels: Inverse of the Inertia Matrix, Omega_dot]

is used for simulation only. 

dynamics are described using differential 
equations (given acceleration, calculate position, 
rates, and rate changes) 

Command Handling


• extremely simple in this example 

• only the final position/attitude is provided 


• SW characteristics: 

- data communication 

- range issues 
- timing issues

Guidance


The guidance component contains the 
actual algorithmic “meat” 


• Given the current state and the target 
state, find an optimal trajectory using as 
little fuel as possible and other constraints 


• This algorithm uses a fairly elaborate state 
machine that is modeled here as a 
Stateflow diagram 

• SW characteristics


- mainly discrete logic 

• if-then-else’s, 

• state machines, ... 

- internal state variables 

Coastfctl

This function establishes when the jets are to be turned off (coasting)
Coastfctl = e - edot^2/(2*Ralphs) - DB


• (mathematical) relation between sensors and 
actuators 


• Characteristics: arithmetic code, delays,
parameters. Usually very few SW branches

• tries to estimate state of the vehicle given
(noisy) sensor readings

• SW characteristics 

- Signal flow architecture 

- Kalman filters (recursive least square) 

- coordinate conversions 

- floating-point arithmetic and matrix operations

- few but important if-then-elses (e.g., to reset a
diverging Kalman filter)

• This model can be “broken” in multiple
places

- broken or noisy sensors/actuators 

- singularities in navigation (“crossing the date 
line”, see F22 Raptors flying to Japan) 

- logic errors in the guidance state machine 

- communication between G,N,C SW
components

- OS “problems”: timing, stack, memory, ...

Prototype testbed architecture to run the example
software with/without failures and gather information 
from HW and SW sensors for further processing by the 
ISWHM reasoner (ISWHM server, not shown) 

SW Characteristics

• (Feedback) loops are important for all
kinds of iterative update

- feedback control

- iterative loops (for, while)

- Kalman filters (Navigation)

- optimization (while converging,...)

Simple Thermostat

• A thermostat is the simplest possible feedback control loop.

- combines arithmetic/calculation with feedback 

• Easy to understand, several ways to inject failures 

• Similar to a highly simplified aircraft control system, where the 
heater could be a control surface and the sensed temperature 
corresponds to, e.g., a roll-rate sensor. 

• controller stuck open and close at t=15

[Plot labels: Inside Temp, outside temp]


• door remains open at t=20 

• observables are time-series data

- room temperature 

- heater on/off 

• translation of loop into a Bayes Network

• naive model is not a DAG

• BN must talk and reason about time series

• we experiment with several modeling approaches also using dynamic Bayes Nets

Dynamic BN



temporal break-up 
adding Sensor nodes 
adding Health nodes 
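
The three steps above (temporal break-up, Sensor nodes, Health nodes) can be tried on the thermostat with a controller fault injected at t=15. The following is an added example, not part of the original slides or the testbed: it is a minimal two-slice dynamic BN with one hidden Health node, filtered over the two observables (room temperature, heater on/off). The plant constants, the probability tables and all function names are constructed assumptions.

```python
# Added example (not from the slides): forward filtering in a two-slice
# dynamic Bayes net with a hidden Health node. All numbers are constructed.
SETPOINT, BAND, OUTSIDE = 20.0, 0.5, 5.0
P_FAIL = 0.01                                # P(stuck_t | ok_{t-1}); stuck is permanent
P_AGREE = {"ok": 0.99, "stuck": 0.5}         # P(heater matches control law | Health)

def command(temp, prev_on):
    """Healthy thermostat control law with hysteresis."""
    if temp < SETPOINT - BAND:
        return True
    if temp > SETPOINT + BAND:
        return False
    return prev_on

def simulate(steps=40, fail_at=None):
    """Constructed time series [(room_temp, heater_on)]; output freezes at fail_at."""
    temp, on, trace = 18.0, False, []
    for t in range(steps):
        if fail_at is None or t < fail_at:
            on = command(temp, on)           # healthy: follow the control law
        trace.append((temp, on))             # the two observables per time slice
        temp += (1.0 if on else 0.0) - 0.05 * (temp - OUTSIDE)
    return trace

def filter_health(trace, prior=0.01):
    """Return P(Health_t = stuck | observations up to t) for every slice t."""
    belief, prev_on, out = prior, False, []
    for temp, on in trace:
        # Temporal link: Health_{t-1} -> Health_t
        pred = belief + (1.0 - belief) * P_FAIL
        # Sensor node: does the observed heater state agree with the control law?
        agrees = on == command(temp, prev_on)
        l_stuck = P_AGREE["stuck"] if agrees else 1.0 - P_AGREE["stuck"]
        l_ok = P_AGREE["ok"] if agrees else 1.0 - P_AGREE["ok"]
        belief = pred * l_stuck / (pred * l_stuck + (1.0 - pred) * l_ok)
        out.append(belief)
        prev_on = on
    return out

def first_alarm(beliefs, threshold=0.9):
    """Index of the first slice whose fault belief exceeds threshold, else None."""
    return next((t for t, b in enumerate(beliefs) if b > threshold), None)

if __name__ == "__main__":
    beliefs = filter_health(simulate(fail_at=15))
    print("fault injected at t=15, alarm at t =", first_alarm(beliefs))
    print("healthy run alarm:", first_alarm(filter_health(simulate())))
```

The heater freezes in the "on" state at t=15, but the belief only crosses the threshold at t=18: until the room temperature leaves the hysteresis band, a stuck controller produces the same observables as a healthy one.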

The full BN

Samlam: Sensitivity Analysis, Modeling, Inference and More

[Screenshots: Samlam in Query Mode - C:\Projects\Own\SWHM\May2010\Therm_jsc_9.net]

Conclusions/Next Steps

• SWHM has to take specific SW characteristics into account

• BN has the potential 

- suitable for different SW “ingredients” 

- monitoring on different layers (OS, middle-ware, process 
level, individual SW component); modularity 

- potentially: generate SWHM BN from Simulink model 
(NOTE: ADAPT IVHM generates BNs from wiring 
diagrams) 

• improvement of test-bed 

- navigation component 

- failure injection 

- ARINC653 or OSEK model 

- SWHM modeling for testbed system 